SERVICE · CUSTOM BUILD · FIXED FEE
Custom defensive tooling: hardened MCP servers, attestation pipelines, prompt-injection monitoring, agent-loop circuit breakers, automated red-team CI. Built to your stack. Maintained on retainer if you want it.
What we build
Six representative deliverable shapes. Any combination, scoped fixed-fee. Code lands in your repos under your license.
01 · HARDENED MCP SERVER
Drop-in replacement for an existing MCP server with tool-description pinning, parameter validation, per-tool trust labels, sandbox-enforced code execution, and audit logging. Production-grade, your-stack-native.
02 · ATTESTATION PIPELINE
Cryptographic supply-chain attestation for MCP servers and tools: sign at build, verify at load, alert on drift. Integrates with sigstore/cosign or your existing PKI.
03 · PROMPT-INJECTION MONITORING
Runtime detection of indirect prompt injection in retrieved content and tool outputs. Per-tenant alerting, replayable traces, integrates with your SIEM.
04 · AGENT-LOOP CIRCUIT BREAKERS
Iteration ceilings, exponential cost backoff, runaway-recursion detection for production agents. Tunable per-customer. Prevents the $50k OpenAI bill from a single bad prompt.
05 · AUTOMATED RED-TEAM CI
Five Surfaces battery as a GitHub Action / GitLab pipeline. Runs on every PR touching agent code or MCP configs. Fails the build on new high-severity findings. mcp-fuzzer-powered.
06 · TELEMETRY-HARDENING PASS
Strip sensitive content from OTLP spans, sanitize tool input/output before logging, tenant-scope log queries, redact secrets surfaced in error paths. Compliance-grade observability.
The process
- 01 · Scope (1 week): Joint scoping session. Define deliverable boundaries, integration points, success criteria. Fixed-fee proposal back within 48 hours.
- 02 · Build (2-8 weeks): Iterative builds with weekly demos. Code lands in your repos, your CI, your infra. Lance commits as a contractor under your usual access controls.
- 03 · Hand-off (1 week): Documentation, runbooks, on-call handover. Optional 30-day stabilization window where Lance is on standby for issues at no extra cost.
- 04 · Retainer (optional): Monthly retainer for maintenance, new attack-class coverage, and incident response. Cancellable any time, no auto-renew.
Who it's for
- Platform teams shipping MCP servers in production who don't want to build hardening from scratch
- AI feature teams whose threat model just outgrew the AppSec team's bandwidth
- Post-audit organizations where the audit surfaced a gap they need closed quickly
- Greenfield deployments where security gets built in from day 1 instead of bolted on after
- Compliance-driven builds — EU AI Act, ISO/IEC 42001, customer security requirements that demand specific controls
FAQ
What kinds of things do you build?
Defensive tooling for AI systems: hardened MCP servers as drop-in replacements, attestation pipelines for supply-chain integrity, prompt-injection monitoring with SIEM integration, agent-loop circuit breakers, automated Five Surfaces red-team in CI, and telemetry-hardening passes. Anything that ships, runs, and reduces the attack surface of an LLM-backed system in production.
How does this differ from the Audit service?
An audit finds the problems. A custom build ships the fix. Many engagements start with an audit, surface a specific gap (e.g., "your MCP server is exposing unsigned tool descriptions"), and continue into a build to close it. Some teams skip the audit and come straight to build because they already know what they need — that's fine.
What does it cost?
Fixed-fee per deliverable, scoped after a 1-week joint scoping session. Typical projects: $35k-$150k depending on integration complexity. Retainers for ongoing maintenance: $8k-$25k/month. No hourly creep, no scope drift — if we underestimated, that's our problem. Mutual scope-change agreement required for extension.
Who owns the code?
You do. All code lands in your repos under your license. Lance commits as a contractor under your usual access controls. No vendor lock-in, no hosted-by-Vectorbreak dependency — the deliverable runs entirely in your infrastructure. Open-source components are flagged in the proposal; we'll only pull in what you've already approved or what you OK during scope.
Can you maintain it for us?
Optional monthly retainer covers maintenance, new attack-class coverage as the threat landscape evolves, and incident response on the tooling Vectorbreak built. Pricing scales with scope: $8k/month covers one piece of tooling under low maintenance burden; $25k/month covers a full suite under active development. Cancellable any time, no auto-renew.
Do you do greenfield AI security work or only retrofitting?
Both. Greenfield: integrate security into your AI architecture from day 1 — sandbox design, MCP server scaffolding, monitoring instrumentation, agent-loop limits. Retrofit: take an existing production system and ship hardening upgrades that don't require a full rewrite. Greenfield is typically faster and cheaper because we're not working around existing decisions.
NEXT
Scope a buildout.
Tell us what you need shipped. Fixed-fee proposal back within 48 hours.